Sumo Logic Integration Guide
Arbitex streams audit events to Sumo Logic using an HTTP Source endpoint. Authentication is embedded in the HTTP Source URL — no separate API key is required. Events are formatted as OCSF v1.1 JSON and sent as newline-delimited JSON (NDJSON) in batches.
Prerequisites
- A Sumo Logic account with a Continuous tier or higher (to support custom log ingestion volume)
- An HTTP Source configured on a Hosted Collector
- The HTTP Source URL (generated by Sumo Logic; authentication is embedded)
- Outbound HTTPS from Arbitex platform pods to collectors.sumologic.com (or your Sumo Logic endpoint) on port 443
Create an HTTP Source
- In Sumo Logic, go to Manage Data → Collection → Add Collector → Hosted Collector.
- On the collector, click Add Source → HTTP Logs & Metrics.
- Set the Source Category to arbitex/audit (you can override this with SUMO_SOURCE_CATEGORY).
- Complete the wizard. Sumo Logic generates a unique HTTP Source URL: copy it. This URL contains embedded authentication and must be kept secret.
Configuration
| Variable | Required | Default | Description |
|---|---|---|---|
| SUMO_HTTP_SOURCE_URL | Yes | — | HTTP Source endpoint URL (authentication embedded) |
| SUMO_SOURCE_CATEGORY | No | arbitex/audit | Source category metadata (X-Sumo-Category header) |
| SUMO_SOURCE_NAME | No | arbitex-platform | Source name metadata (X-Sumo-Name header) |
| SUMO_SOURCE_HOST | No | System hostname | Source host metadata (X-Sumo-Host header) |
| SUMO_BATCH_SIZE | No | 100 | Maximum events per batch |
| SUMO_FLUSH_INTERVAL | No | 5 | Maximum seconds between batch flushes |
| SUMO_MAX_RETRIES | No | 3 | Maximum retry attempts on transient failures |
| SUMO_DEAD_LETTER_PATH | No | /var/log/arbitex/sumo_dead_letter.jsonl | Path for the dead letter queue file |
Example configuration
```
SUMO_HTTP_SOURCE_URL=https://collectors.sumologic.com/receiver/v1/http/ZaVnC...
SUMO_SOURCE_CATEGORY=arbitex/audit
SUMO_SOURCE_NAME=arbitex-platform
```

The HTTP Source URL is sensitive: treat it like a credential and store it in a Kubernetes Secret or equivalent secrets store.
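One way to meet that requirement on Kubernetes, as an added example that is not part of the Arbitex documentation: the URL lives only in a Secret and is injected into the platform container as SUMO_HTTP_SOURCE_URL, while the non-sensitive variables stay as plain env values. The namespace, Secret name, Deployment name, labels and container name are assumptions; paste the URL copied from Sumo Logic in place of the placeholder.

```yaml
# Added example, not from the Arbitex docs. All object names are assumptions.
apiVersion: v1
kind: Secret
metadata:
  name: arbitex-sumo-logic
  namespace: arbitex
type: Opaque
stringData:
  # Placeholder: paste the full HTTP Source URL generated by Sumo Logic here.
  SUMO_HTTP_SOURCE_URL: "<HTTP Source URL copied from Sumo Logic>"
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: arbitex-platform
  namespace: arbitex
spec:
  selector:
    matchLabels:
      app: arbitex-platform
  template:
    metadata:
      labels:
        app: arbitex-platform
    spec:
      containers:
        - name: platform
          image: "<arbitex platform image>"   # assumption: whatever image you deploy
          env:
            # The credential comes from the Secret, never from a ConfigMap or manifest.
            - name: SUMO_HTTP_SOURCE_URL
              valueFrom:
                secretKeyRef:
                  name: arbitex-sumo-logic
                  key: SUMO_HTTP_SOURCE_URL
            # Non-sensitive metadata can stay inline (these match the defaults).
            - name: SUMO_SOURCE_CATEGORY
              value: arbitex/audit
            - name: SUMO_SOURCE_NAME
              value: arbitex-platform
```

Rotating the URL then means updating the Secret and restarting the platform pods, which matches the recovery procedure under Troubleshooting.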
Event format
Events are sent as NDJSON (one JSON object per line) with Sumo Logic metadata headers:

```
POST https://collectors.sumologic.com/receiver/v1/http/ZaVnC...
X-Sumo-Category: arbitex/audit
X-Sumo-Name: arbitex-platform
X-Sumo-Host: arbitex-platform-pod-abc123
Content-Type: application/x-ndjson

{"class_uid":6003,"class_name":"API Activity","severity":"Informational","time":1741737600000,"actor":{"user":{"email_addr":"alice@example.com"},"org":{"uid":"org_01jq..."}},"src_endpoint":{"ip":"203.0.113.45"},...}
{"class_uid":2001,"class_name":"Security Finding","severity":"High","time":1741737601000,...}
```

Sumo Logic parses each line as a separate log message. The OCSF fields are available for search and parsing with Field Extraction Rules (FER).
Health check
The connector health check sends an empty POST to the HTTP Source URL. A 200 response indicates the endpoint is reachable and valid. A 4xx response indicates the URL is invalid or expired.
Verification
Section titled “Verification”Check connector health
```
curl -s -H "Authorization: Bearer $ADMIN_TOKEN" \
  https://api.arbitex.ai/api/admin/siem/connectors | jq '.[] | select(.connector_id == "sumo_logic")'
```

A healthy connector returns "status": "healthy" and a truncated http_source_url value.
Search in Sumo Logic
In the Sumo Logic Log Search, query:

```
_sourceCategory=arbitex/audit
```

To count API activity per organization, set the time range to the last 15 minutes and run:

```
_sourceCategory=arbitex/audit class_name="API Activity" | count by actor.org.uid
```

This second query filters and groups on OCSF keys (class_name, actor.org.uid) as fields, so it depends on the Field Extraction Rule configured in the next section.

Configure a Field Extraction Rule
To make OCSF fields searchable as indexed metadata, create a Field Extraction Rule in Sumo Logic:

- Go to Manage Data → Logs → Field Extraction Rules → Add Rule.
- Set Scope to _sourceCategory=arbitex/audit.
- Set Parse Expression to json auto.

This enables field-based filtering on all OCSF JSON keys.
Troubleshooting
| Symptom | Likely cause | Resolution |
|---|---|---|
| status: not_configured | SUMO_HTTP_SOURCE_URL not set | Set the variable and restart the platform |
| status: degraded | HTTP Source URL invalid or expired | Regenerate the HTTP Source URL in Sumo Logic and update the variable |
| 400 or 401 on send | URL revoked or malformed | Delete and recreate the HTTP Source; update the URL |
| Events not appearing | Wrong source category in search | Search _sourceCategory=arbitex/audit or remove the category filter |
If the HTTP Source URL is compromised or expired, delete it in Sumo Logic and create a new one. Update SUMO_HTTP_SOURCE_URL and restart the platform. Dead letter events are written to SUMO_DEAD_LETTER_PATH in JSONL format and are not automatically replayed. The dead letter file contains the same audit events that would have reached Sumo Logic (actor e-mail addresses, source IPs, finding details), so protect it with the same file permissions and retention as the rest of the audit log, and replay or purge it after the connector is healthy again.
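The following Python script is an added example, not Arbitex's connector code, that ties together the Configuration table, the Event format section, the Health check and the dead letter behaviour described above: it encodes a batch as NDJSON, sends it with the X-Sumo-* headers, retries only on transient failures (no response, 429, 5xx), sends anything else straight to a JSONL dead letter file, logs the URL only in truncated form, and provides the manual replay that the platform does not perform. The sample events are constructed in the OCSF shape the page shows; the function names, the injectable transport and the replay file rewriting are design choices of this example, not documented Arbitex behaviour.

```python
"""Added example (not Arbitex's connector code): an NDJSON batch shipper for a
Sumo Logic HTTP Source with X-Sumo-* headers, bounded retries, a JSONL dead
letter file and a replay helper. The transport is injectable so the retry and
dead-letter paths can be exercised offline with a stub."""
import json
import time
import urllib.error
import urllib.request
from typing import Callable, Iterable, List, Optional, Tuple

Poster = Callable[[str, bytes, dict], int]  # (url, body, headers) -> HTTP status


def http_post(url: str, body: bytes, headers: dict) -> int:
    """Real transport. Returns the HTTP status, or 0 if no response was received."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code
    except urllib.error.URLError:
        return 0


def sumo_headers(category: str, name: str, host: str) -> dict:
    """Metadata headers that Sumo Logic applies to every message in the batch."""
    return {"Content-Type": "application/x-ndjson", "X-Sumo-Category": category,
            "X-Sumo-Name": name, "X-Sumo-Host": host}


def encode_ndjson(events: Iterable[dict]) -> bytes:
    """One compact JSON object per line; Sumo Logic parses each line as a message."""
    return "".join(json.dumps(e, separators=(",", ":")) + "\n" for e in events).encode()


def is_transient(status: int) -> bool:
    """Retry only on no-response, throttling and server errors. Any other 4xx
    means the URL is malformed, revoked or expired, and retrying cannot fix it."""
    return status == 0 or status == 429 or status >= 500


def redact_url(url: str) -> str:
    """The last path segment is the credential: log only its first four characters."""
    base, _, token = url.rpartition("/")
    return f"{base}/{token[:4]}..."


def send_batch(events: List[dict], url: str, headers: dict, post: Poster = http_post,
               max_retries: int = 3, dead_letter_path: Optional[str] = None,
               sleep: Callable[[float], None] = time.sleep) -> str:
    """Send one batch with up to max_retries retries; returns 'sent' or 'dead_lettered'."""
    body = encode_ndjson(events)
    status, attempt = post(url, body, headers), 0
    while not 200 <= status < 300 and is_transient(status) and attempt < max_retries:
        attempt += 1
        sleep(min(2 ** attempt, 30))  # capped exponential backoff
        status = post(url, body, headers)
    if 200 <= status < 300:
        return "sent"
    print(f"batch failed with HTTP {status} for {redact_url(url)}")
    if dead_letter_path:
        with open(dead_letter_path, "ab") as fh:
            fh.write(body)  # same NDJSON shape as the wire format, one event per line
    return "dead_lettered"


def check_health(url: str, post: Poster = http_post) -> str:
    """Empty POST: 2xx means reachable and valid, 4xx means invalid or expired."""
    status = post(url, b"", {"Content-Type": "application/x-ndjson"})
    if 200 <= status < 300:
        return "healthy"
    return "degraded" if 400 <= status < 500 else "unreachable"


def replay_dead_letter(path: str, url: str, headers: dict, post: Poster = http_post,
                       batch_size: int = 100, max_retries: int = 3,
                       sleep: Callable[[float], None] = time.sleep) -> Tuple[int, int]:
    """Resend dead-lettered events in batches and rewrite the file with only the
    events that still fail. Returns (replayed, still_queued)."""
    with open(path, "rb") as fh:
        events = [json.loads(line) for line in fh if line.strip()]
    still_queued: List[dict] = []
    for i in range(0, len(events), batch_size):
        chunk = events[i:i + batch_size]
        if send_batch(chunk, url, headers, post, max_retries, None, sleep) != "sent":
            still_queued.extend(chunk)
    with open(path, "wb") as fh:
        fh.write(encode_ndjson(still_queued))
    return len(events) - len(still_queued), len(still_queued)


# Constructed sample events in the OCSF shape shown on this page (not real data).
SAMPLE_EVENTS = [
    {"class_uid": 6003, "class_name": "API Activity", "severity": "Informational",
     "time": 1741737600000, "src_endpoint": {"ip": "203.0.113.45"},
     "actor": {"user": {"email_addr": "alice@example.com"}, "org": {"uid": "org_example"}}},
    {"class_uid": 2001, "class_name": "Security Finding", "severity": "High",
     "time": 1741737601000},
]
```

To run it against a real source, build the headers from SUMO_SOURCE_CATEGORY, SUMO_SOURCE_NAME and SUMO_SOURCE_HOST, pass SUMO_HTTP_SOURCE_URL as `url`, SUMO_MAX_RETRIES as `max_retries` and SUMO_DEAD_LETTER_PATH as `dead_letter_path`, and leave `post` at its default `http_post`. The split between transient and non-transient statuses is the point to notice: a 401 from a revoked URL is dead-lettered after a single attempt and surfaces as a degraded connector, rather than burning retries against a credential that will never work again.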